Kai Szymanski
2009-Dec-18 11:50 UTC
Rules only active after using tcpdump in promiscuous mode
Hi!

I have a strange problem with shorewall on one of our routers. When I configure a rule like

ACCEPT loc:192.x.x.x net tcp 80

this rule will only work if I do a

tcpdump -i all port 80

After doing the tcpdump the client rules work. When I don't use tcpdump before, the connection will be refused.

Best regards,
Kai.

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
Tom Eastep
2009-Dec-18 19:05 UTC
Re: Rules only active after using tcpdump in promiscuous mode
Kai Szymanski wrote:
> Hi!
>
> I have a strange problem with shorewall on one of our routers. When I
> configure a rule like
>
> ACCEPT loc:192.x.x.x net tcp 80
>
> this rule will only work if I do a
>
> tcpdump -i all port 80
>
> After doing the tcpdump the client rules work. When I don't use tcpdump
> before, the connection will be refused.

I think you are drawing the wrong conclusion here. Communication may not work until you tcpdump but it has nothing to do with the Shorewall rule.

I suggest that you look at first the local then the remote interface when 'it doesn't work'. And be sure that you don't have your two interfaces cabled to the same switch/hub.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Kai Szymanski
2009-Dec-20 13:09 UTC
Re: Rules only active after using tcpdump in promiscuous mode
Hi Tom,

of course I don't have cabled them wrong... otherwise no rules would work ;) So the cabling is ok. The "WAN" side is connected to a DSL modem, the "LAN" side is connected to a switch. Everything but "tcpdump before rule is active" works.

I do the following: A client calls me that he can't do online banking (for example). I know the special software uses tcp port 8000. So I open port 8000 for that client from inside to outside. I restart shorewall (/etc/init.d/shorewall restart). After that action I try on the client side if I can connect to port 8000... but it didn't work. So I want to find out why I can't connect. I do a tcpdump on the firewall (example in last email). After that action the rule works. I tried that with several rules. Same procedure every time.

1. What I will try next week: Does it also work if I don't start tcpdump in promiscuous mode?

Thanks for your answer!

Best regards,
Kai.

PS: I use shorewall version 4.0.15, linux kernel 2.6.26-2-amd64, iptables v1.4.2.
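As an added example (not from the thread, and not Shorewall's own tooling), here is a small POSIX shell script for the test Kai plans next: it reads the PROMISC bit from /sys/class/net/<iface>/flags so you can see whether an interface is in promiscuous mode, and it runs tcpdump with its -p option, which tells tcpdump not to switch the interface into promiscuous mode. Comparing the flag before and after the capture shows whether the capture itself changed the interface state. The interface name and port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check the promiscuous
# flag of a Linux network interface and capture on it with tcpdump -p.

# IFF_PROMISC is bit 0x100 of the Linux interface flags word, which the
# kernel exposes as a hex value in /sys/class/net/<iface>/flags.
IFF_PROMISC=256

# promisc_from_flags HEXVALUE -> prints "yes" if the PROMISC bit is set, else "no"
promisc_from_flags() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# iface_promisc IFACE -> "yes"/"no", or "unknown" if the sysfs file is not readable
iface_promisc() {
    f="/sys/class/net/$1/flags"
    if [ -r "$f" ]; then
        promisc_from_flags "$(cat "$f")"
    else
        echo unknown
    fi
}

# capture_non_promisc IFACE PORT -> show the flag, capture up to 20 packets
# on that port with tcpdump -p (no promiscuous mode), then show the flag again.
capture_non_promisc() {
    echo "before: $1 promisc=$(iface_promisc "$1")"
    tcpdump -p -n -i "$1" -c 20 "port $2"
    echo "after:  $1 promisc=$(iface_promisc "$1")"
}

# Usage: sh check_promisc.sh eth1 8000   (placeholder interface and port)
if [ "$#" -ge 2 ]; then
    capture_non_promisc "$1" "$2"
fi
```

Run it once per interface (the local and the remote side, as Tom suggests) so the "before" line tells you whether anything else has already left the interface in promiscuous mode; if the rule starts working only when the flag reads "yes", the capture itself is what changes the behaviour, not the Shorewall rule.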